VoIP Is Scary

Computerworld -

Imagine that you deliver an application with 100%, instant-on availability. Security is rock-solid. Costs are dropping. Users never complain. And anytime you upgrade, even if you buy software and gear with new features from a different vendor, user acceptance is always immediate and training virtually nil.

That's your phone system. And VoIP threatens to break it by opening your phone network to the profusion of security hazards your IT environment faces.

That's not to say our POTS (plain old telephone service) is unbreakable. One of the legends of hacking is Cap'n Crunch, who got his nickname from decoding the audible signals on phones by using a whistle from a box of the cereal. The hackers who followed in his footsteps didn't break into POTS for the free long-distance service. They did so to access the computers connected to it. But they don't need POTS any longer; they've got the Internet now.

So users have been able to ring you up when their systems have crashed after someone let loose variants of the SoBig or Klez viruses on your network. But with VoIP, users might not even be able to do that, since its infrastructure is vulnerable to the same attacks by the world's bottomless pit of sociopathic hackers.

VoIP security isn't just important. It's everything. Steven Harris, an analyst at IDC, sums it up simply: "Security is a precondition to a deployment of VoIP."

That's a tough precondition, given that VoIP technology is built largely on Linux or Windows, uses Web application servers, runs over the IP network and, in some cases, uses the browser as an alternative to a handset. Is there anything in that list that doesn't have gaping security holes in it? The list doesn't include the VoIP application. And research firm Gartner claims that about three-fourths of the security attacks in 2005 will strike at the application level. If you think VoIP apps won't be favorite virus targets, you're wrong.

Edwin Mier tested VoIP products from Cisco Systems and Avaya last year for Network World, one of our sister publications, and concluded that while security is "possible," it's so complex and vendor-specific that only the bravest and the smartest will deploy it widely . He left out the foolhardy.

So, why on Earth would any sane IT manager want to get involved with a project as risky as VoIP? Well, your CFO likes it, for one. IDC, among others, is telling him that 20% savings on telco charges "is common." For companies that run up millions of dollars per month in phone costs, that kind of savings can be very compelling.

But compelling enough? Mike Hrabik, chief technology officer at Solutionary, which does security risk management in Omaha, says IT managers need to be aware that VoIP systems must be patched for security as often as your app servers. However, he warns, some VoIP vendors lag as much as 30 days with patches for the OEM systems they deploy, leaving your phone network vulnerable even after you've patched the IT side.

Hrabik, whose company uses VoIP for internal and some branch-office connections, thinks cost savings are nice, but the best reason to use VoIP is to deliver more-productive applications, such as integrating both voice mail and e-mail so users can get all of their messages from any device -- cell phone, laptop, PDA or whatever. For a company with a large field sales and support organization, that kind of application could generate more dollars in sales than it saves in telecommunications costs.

Combining substantial cost savings with a significant productivity boost might indeed be worth the risk of jumping into the shallow end of the VoIP pool to get comfortable with the technology.

Jim Vale, a product manager at network management and analysis firm Network General in San Jose, says there are some basic ways to design a secure VoIP network. First, conduct a comprehensive vulnerability analysis of your network and of the VoIP gear before you attach anything to your network. Next, segment your VoIP traffic, which isolates security problems and has the added benefit of dedicating that segment for streaming protocols used by voice. Also, apply quality-of-service rules for your IP traffic, assuring priority for streaming data. Dropped calls and poor aural performance can be indicators of a security problem. Finally, monitor like crazy.

Rolling out VoIP only to save money isn't worth the risk. Coupling savings with a powerful application might make it worth a very careful try. But just barely.